By Brandes Elitch
The Electronic Transactions Association's Strategic Leadership Forum held Oct. 12 to 14, 2009, in New York focused on the "future of payments-today" and was an opportunity for payments industry leaders to get acquainted, make deals and attend presentations geared to help them focus their efforts most strategically in a landscape that is always changing.
Topics of interest included emerging payment types, developing technologies that will drive adoption, current legislative and regulatory developments, risk management and data security. Following is an overview of what was covered.
Six speakers discussed emerging payments. The challenge is to determine which of the many new ideas swirling around the payment system will be mainstream products five years from now and how ISOs can make money with whatever succeeds.
Five years ago, who would have predicted that PayPal Inc. would create a new payment platform or that social networking sites could replicate this? These new platforms were created without any involvement from ISOs, which is another way of saying there is no revenue path for an ISO in these platforms.
If ISOs derive revenues from the spread between their buy rate, and what they charge their merchants, and credit card share of market declines precipitously, where will this leave the ISO community? The watchword here is "disintermediation," meaning running transactions on something other than the MasterCard Worldwide and Visa Inc. debit and credit rails. The running joke here was, "Flat is the new up."
Take a look at Revolution Money Inc. The individual behind this company is an original backer of AOL LLC (formerly American Online Inc.). He wants to start a new payment network that does not involve interchange, which he likens to a $70 billion "silent tax" for merchants - in some cases their second biggest line item expenditure. Moreover, interchange goes up every year, and we live in a technology industry where Moore's Law should apply (price is halved as capacity doubles).
His model is to use a PIN-based card that runs on the PIN debit rails, charge the merchant 50 basis points and still provide reward points for consumers. He said his startup cost was $100 million, and in its first year, Revolution Money signed 1 million merchants out of a 5 million merchant universe.
He didn't use ISOs to sign up those million merchants. He didn't use banks. It took Visa 20 years after the first ATM PIN debit cards to show the banks how they could make money by issuing debit cards - by creating signature debit cards that required interchange - and these banks aren't about to give up that revenue stream.
So how did he sign up a million merchants? We don't know. But, clearly, if the total cost to the merchant is 50 basis points, which includes a cardholder rewards program, where would the money come from to pay an ISO for signing the merchant? And why would an ISO sell Revolution Money?
PayPal and Amazon.com already have 100 million acc-ounts on file that include shipping information and payment preferences. Now, PayPal wants to open up its platforms to online software vendors. Soon there will be an entire class of payment providers who will bypass the card brands.
Someone mentioned that now that the card brands are separated from their banks, and are for-profit companies with shareholders to answer to, they will develop their own products too, or simply buy the ones that fit their model. Visa has a $60 billion market cap; Mastercard's is $30 billion. Their mandate is to grow, and they will be aggressive in this. That is a new development.
Brian McLoughlin is a Partner with the Los Angeles-based venture capital firm GRP Partners, which specializes in transaction processing and was recently listed as one of the top 25 venture capital firms by Red Herring magazine.
He showed a slide with all of the current alternative payment providers arrayed in a matrix, with one axis being online/offline and the other being major card brand networks/alternative networks. Please see the accompanying chart entitled "Alternative payments landscape."
McLoughlin sees several key themes in the online world: cheaper solutions, online wallets and open application programming interfaces, and mobile commerce. He pointed out that a variety of online automated clearing house solutions exist, but these are not any easier to use for the consumer.
He included two online PIN debit solutions, Acculynk and HomeATM, in the chart. He also identified more flexible ways to pay online: PayPal, Google Checkout and Amazon Payments; while these "established" alternatives ride the card company rails, their brands command front and center, not the Visa and MasterCard brands.
McLoughlin said the next payment frontier is "in-store, with a mobile phone." Mobile commerce can be billed either on the credit card bill or on the telephone carrier bill. Historically, carriers have charged such high discount rates that this has only worked for things like ring tones and games, but that may change soon.
The future holds at least three solutions: first, apps with bar code presentation; second, near field communication and mobile wallet providers, such as Bling Nation Ltd. and ViVOtech Inc; and third, carrier-driven solutions.
Finally, he sees value-added software as another threat to the ISO model. This is where the merchant acquiring sale happens "upstream," McLoughlin noted. It is bundled in the enterprise software - a total disintermediation of the traditional acquirer.
Looking at the matrix, the question is, how does an ISO determine which products to concentrate on? The answer: Each ISO has a different set of customers. Study the needs of your customers, and focus on the products that fulfill those needs. Look for evidence of success; if certain things are working and have a proven track record, focus your resources there.
Mobile payments can employ a handset or a wireless terminal. For example, Apple Inc. retail stores have no registers. Clerks book sales on mobile devices. This mobility can also be used for line busting, for example, at Costco Wholesale Corp. stores.
The speakers in this group agreed there is no payback today for merchants using contactless terminals or any device that can only do one kind of payment.
In the case of wave or tap devices, one speaker said, "they're unplugged half the time, and there's just no consumer demand for them." And banks are not moving into contactless cards.
Other products whose time has not yet come are chip cards and the Visa POS. However, retailers want to get closer to their customers. Quick service restaurants need speed and convenience. So major efforts will continue in this space.
One speaker put things in perspective by saying that many ISOs still sell legacy products. He mentioned that his doctor just did a five-year lease on a five-year-old dial countertop Dassault.
Evan Schuman spoke about data security, and his Web site, www.storefrontbacktalk.com, should be mandatory reading for any ISO focusing on large retailers. Schuman spoke about the recently announced Wal-Mart Stores Inc. data breach, which started in June 2005.
Wal-Mart had four years of customer data stored unencrypted. Eight hundred machines were attacked, and nothing was taken except the source code.
The source of the breach was an ex-employee virtual private network account that had not been deactivated. The code crashed the server. The company found the code and discovered that files had been planted and "the logs showed no successful attempts at penetration."
Schuman said that no data was breached because today, "you need 100 million names for the theft to be worthwhile to the thief," a truly amazing statistic that shows the sophistication of the organized crime behind these attacks. Stolen data has a short shelf life; thieves have to use it right away to be successful.
Another point is that the card brands' zero liability programs are a powerful shield. When there is a breach, consumers don't lose money, and retailers don't lose revenue. This is why class action lawsuits typically don't go anywhere.
A philosophical split exists on how to store data. On one hand, you could use tokenization - take the data out of the network right away and store the token far away. But if a breach occurs, you will still be liable if you have deep pockets.
In some cases, you still have to convert the token back to a real card number, for chargebacks and so forth, so how can the data ever really be "out of scope"? And what if your tokenization vendor goes bankrupt? You end up being responsible for something you cannot control.
The concept of safe harbor being a fallacy was discussed. Ultimately, the speakers concluded it is absurd for the Payment Card Industry (PCI) Data Security Standard (DSS) to cast the same net on both big-box retailers and small merchants - it is too broad.
Other advice: Read the technology blogs. Make sure your management, including your board, is involved in managing risk. Have a recovery plan, and determine the key threats to your business. Remember, you are deploying technology that is three years old, and the cyber thieves figured out how it works a year ago.
Regarding government oversight of the credit card industry, the states argue that federal agencies should be a floor, not a ceiling. Questions in this seminar included whether exemptions should be granted for service providers who don't control the terms of the financial products (for example, an ISO cannot control interchange) and whether merchants should be given anti-trust immunity and allowed to bargain collectively.
There are two points of view pertaining to interchange. One is that interchange is a "privately regulated cartel." However, it's difficult to say that a regulator could do a better job. A U.S. General Accounting Office study on interchange is due out in November 2009, but so far there appears to be no evidence that interchange contributes to a restraint of trade.
Another question is whether the federal government should have a standard defining what constitutes a security breach. A consumer's name and telephone number can be found in a telephone book, so is that sensitive data? And what if you don't have a cardholder's address? How can you give notice of a breach?
The speakers also gave a synopsis of state legislation. In many cases, legislation was ill-conceived and overly broad. The lesson learned: As ISOs, work closely with your state retailer's association, and your legislators, before legislation is introduced. Be involved with working groups in the legislature, or you will see legislation that you don't like.
Maneesha Mithal from the Federal Trade Commission did a presentation on the role of the FTC in enforcing such legislation as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transaction Act (FACTA) and the FTC Act, which prohibits "unfair and deceptive practices." She discussed the FTC's jurisdiction and authority in three areas: data security, breach notification and FACTA's Red Flag Rule.
Her message: Keep your promises, share information only with those who should receive it, don't retain information unless you have a need for it, and identify well-known security risks and take measures to address them. Implement the easy fixes; the standard is reasonableness.
The closing CEO Roundtable raised interesting questions. Why should an acquirer have the liability for damages from a breach that was caused by a merchant's bad business practices?
Liability is also cost prohibitive for acquirers: The merchant is marking up his cost of goods sold by 200 percent, and the ISO is making 10 basis points.
It was concluded that breaches are a process problem, not a technology problem; no single entity should bear the full burden if all parties are responsible, and regulators should focus on outcomes, not prescriptive measures.
One panelist said that the PCI DSS is a false hope because there is no way to prove the absence of something. But another panelist countered that the PCI is a good thing. It is a set of best practices, and if we start with good governance, the byproduct will be compliance.
Others pointed out that some acquirers are hooked to 14 different bank systems; there are too many points of vulnerability. Also, a highly sophisticated criminal ecosystem consisting of tens of thousands of people exists. And they are well organized, well financed, have good management skills and even outsource their programming to India.
Participants agreed that selling security to all the mom-and-pop merchants is almost impossible. Ultimately, an ISO function is to reach out to small merchants and supply new hardware. If you can replace all the old Zon Jrs and Excels with state-of-the-art hardware, you will help your merchants comply.
A number of other subjects addressed during the meeting deserve mention. These include loyalty products; the direct-to-consumer movement (Green Dot Corp. was mentioned as a successful example); decoupled debit; employee incentive and payroll cards; and how to create long-term value by taking into account regulatory and compliance issues when designing products.
This was a very worthwhile conference. The ISO world is changing rapidly on all fronts, and the ISOs that have a game plan and a strategy to deal with these issues will be the most successful.
Brandes Elitch, Director of Partner Acquisition for CrossCheck Inc., has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. A Certified Cash Manager and Accredited ACH Professional, Brandes has a Master's in Business Administration from New York University and a Juris Doctor from Santa Clara University. He can be reached at email@example.com.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next